Liability

As stated many times in the preceding paragraphs, the potential for liability to a company is huge. A company might incur liability if it fails to prevent or react to certain conditions and it is aware that they are occurring. These might include the possession or dissemination of illegal or copyrighted materials, the distribution of harassing emails or documents, and the use of corporate computers for illegal activities.

To be held liable, the company must be aware that these activities are taking place. However, knowledge by one or more officers of an organization is probably sufficient to establish knowledge. Going back to the policy on monitoring, it is important to distinguish between the right to monitor and the responsibility to monitor. If the company has a policy in place that allows it to monitor activities, it could be held that the company should have known about certain activities on the network.

Best practices in security are extremely hard to define. An organization is at risk, in litigation, of being accused of not following best practices. For example, the organization could state that it does not use intrusion-detection software and was therefore unaware that certain attacks were occurring. However, if the majority of the organization's peers are using IDSs, it could be construed that the company was negligent in not employing certain control measures. It could even be interpreted that, had the company been complying with best practices, it should have known about the activity.

Unfortunately, the net effect is that a company can be liable whether or not it knew about an activity. The only advice is to attempt to mirror security practices among peer industries and to ensure that appropriate policies are in place and enforced.

Appropriate monitoring and search policies, including consent by employees to monitoring and searches, can go a long way in preventing employee lawsuits during an investigation. Although the rules of evidence are different for private organizations and in administrative proceedings, the consequences are also different. Instead of having evidence thrown out as inadmissible, an organization can be sued by the employee or union, or can be prosecuted by local authorities for violating employment laws.

Proper legal counsel should always be consulted early in any incident investigation. As previously discussed, laws are changing constantly, and the precedents are unclear at best. All the legal statements in this chapter (and, in fact, in this book) are general by nature. Laws and statements are subject to change and interpretation by authorities.

Corporate legal counsel (or qualified external counsel) is a critical part of the incident response team. The counsel's objective is to protect the company by providing qualified advice about the legal issues in the incident. This includes, where appropriate, advice about the legal rights of the accused (if only to ensure that evidence is not excluded in later proceedings).

There are other potential dangers in addition to improper searches. A poorly conducted investigation, especially if the incident response team has already formed a theory, could result in punishing the wrong employee. If this happens, the company can face wrongful termination lawsuits. Even if the company has no intention of prosecuting the offender, consultation with the organization's legal and human resources departments can ensure that all the proper steps are taken during the investigation and any subsequent administrative or disciplinary actions.

Not only can an organization be liable for the actions of employees, it also can be liable for failing to properly prevent external attacks. New regulations might require certain industries to maintain adequate safeguards of personal data; failure to do so can result in civil or criminal penalties against the organization. In addition, if personal data is compromised, the individual can always sue the organization directly.

If a high-profile attack occurs that impacts the company's earnings or reputation, shareholders can sue the company or its officers and directors and assert that the company failed to maintain fiscal responsibility by not implementing adequate defenses.

Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103